Rich gave the stock answer. If you also want to build a search, start with this:

| rest splunk_server=local servicesNS/-/-/saved/eventtypes
```Inline comments below use the triple-backtick syntax, which needs Splunk 9.0+; strip them on older versions.```
```Continues the preceding `| rest .../saved/eventtypes` stage. Goal: list notable_suppression-* eventtypes updated in the last hour, show the suppression window encoded in each one's search string, and attach who created/modified it from suppression_audit events. REST only returns objects the running user's role can read, so an incomplete list may be a permissions issue rather than a missing suppression -- verify.```
| search title=notable_suppression-* disabled=0
```Keep only enabled suppressions (disabled=0); disabled ones are ignored entirely.```
| rename eai:acl.app as app, title as object, search as command, updated as last_updated_readable
| table disabled, app, object, description, last_updated_readable, command
```Parse the REST `updated` string into epoch seconds so it can be compared against now().```
| eval _time=strptime(last_updated_readable,"%Y-%m-%dT%H:%M:%S%z")
```Recency filter: isRecent is set only when the eventtype was updated within the last hour, then rows without it are dropped. Widen "-1h" to match the schedule this search runs on.```
| eval isRecent=if(_time>relative_time(now(),"-1h"),true(),null())
| where isnotnull(isRecent)
```The suppression window lives inside the saved search string as `_time>NNN` / `_time>=NNN` and `_time<NNN` / `_time<=NNN`; pull the epoch values out. Suppressions written without a literal epoch bound leave start_time/end_time empty.```
| rex field=command "_time\>(\=){0,1}(?P<start_time>\d+)"
| eval start_time_readable=strftime(start_time,"%Y-%m-%dT%H:%M:%S.%f%z")
| rex field=command "_time\<(\=){0,1}(?P<end_time>\d+)"
| eval end_time_readable=strftime(end_time,"%Y-%m-%dT%H:%M:%S.%f%z")
```Marks suppressions whose end bound is more than 90 days in the future. It is only a flag column -- nothing below filters on it -- so the reviewer reading the table has to act on it.```
| eval end_time_large=if(end_time>relative_time(now(),"+90d"),true(),null())
```Window length in seconds; `uptime2string` presumably renders it human-readable (macro defined elsewhere, not visible here).```
| eval duration=end_time-start_time
| `uptime2string(duration,duration_readable)`
```Pull the audit trail for suppressions in the same time range. Missing fields are defaulted so the join key and the values() below never come back empty. `object` is rebuilt to match the eventtype title so eventstats can line both sources up.```
| append
[ search eventtype=suppression_audit
| fillnull value=unknown suppression, status, user
| fillnull value=modified action
| table _time, suppression, action, status, user
| eval object="notable_suppression-".suppression]
```Copy every distinct user/action/status seen for the object onto the REST row. values() aggregates the whole search window, so a suppression touched by several users shows all of them, not just the latest.```
| eventstats values(user) as user, values(action) as action, values(status) as status by object
```Drop the appended audit rows themselves: they carry `suppression` (fillnull'd, so never null) while the REST rows never had that field.```
| where isnull(suppression)
```Defaults for suppressions that had no matching audit event in the window.```
| fillnull value=modified action
| fillnull value=unknown user
```Normalize audit verbs to past tense for display.```
| rex mode=sed field=action "s/create/created/"
| rex mode=sed field=action "s/edit/modified/"
````get_identity4events` is an external macro (not visible here); presumably enriches `user` with identity data.```
| `get_identity4events(user)`
```The raw search string is noisy in the table; drop it once the window has been extracted from it.```
| fields - command